Information Security of Embedded Systems 10.2.2010: BAN-Logic Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.

Presentation transcript:

Information Security of Embedded Systems : BAN-Logic Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST

Embedded Security © Prof. Dr. H. Schlingloff Symmetric keys with authentication server

Kerberos key distribution protocol

Structure

1. Introductory example
2. Embedded systems engineering
   1. definitions and terms
   2. design principles
3. Foundations of security
   1. threats, attacks, measures
   2. construction of safe systems
4. Design of secure systems
   1. design challenges
   2. safety modelling and assessment
   3. cryptographic algorithms
5. Communication of embedded systems
   1. remote access
   2. sensor networks
6. Algorithms and measures
   1. digital signatures
   2. key management
   3. authentication
   4. authorization
7. Formal methods for security
   1. protocol verification
   2. logics and proof methods

BAN Logic

M. Burrows, M. Abadi, R. Needham: "A Logic of Authentication", ACM Transactions on Computer Systems, Vol. 8, No. 1, pp , February 1990
- a formal method for verifying that two principals (people, computers, services) are entitled to believe they are communicating with each other and not the intruders

Goal: Formally prove security of authentication protocols
- make hidden assumptions explicit
- exhibit design flaws
- support trust in the correctness

Main Purposes of BAN Logic

- BAN logic helps to prove whether or not a protocol meets its security goals
- BAN logic helps make protocols more efficient by eliminating messages, contents of messages, or encryptions of messages; despite eliminating them, the security goals can still be reached
- BAN logic helps clarify the protocol's assumptions by formally stating them

slides / text from BAN LOGIC

Modal Logic of Belief

BAN logic concentrates on the beliefs of trustworthy parties involved in the protocol and the evolution of these beliefs through communication processes.

The steps of BAN logic to analyze the original protocol are as follows:
1) The protocol is transformed into some "idealized" form
2) Identify the initial assumptions in the language of BAN logic
3) Use the postulates and rules of the logic to deduce new predicates
4) Interpret the statements you've proved by the process: Have the original goals been met?

Formalism: Basic Notation

The formalism is built on several sorts of objects: principals, encryption keys, and formulas (statements).
- $A$, $B$, and $S$ denote specific principals
- $K_{ab}$, $K_{as}$, and $K_{bs}$ denote specific shared keys
- $K_b$, $K_a$, and $K_s$ denote specific public keys
- $K_b^{-1}$, $K_a^{-1}$, and $K_s^{-1}$ denote the corresponding secret keys
- $N_a$, $N_b$, $N_c$ denote specific statements
- $P$, $Q$, and $R$ range over principals
- $X$ and $Y$ range over statements
- $K$ ranges over encryption keys

Formalism

- $P \mid\equiv X$: P believes X. P would be entitled to believe X. The principal P may act as though X is true.
- $P \triangleleft X$: P sees X. P can read the contents of X (possibly after decryption, assuming P has the needed keys) and P can include X in messages to other principals.
- $P \mid\sim X$: P once said X. P at some time sent a message including the statement X. It is not known when the message was sent (in the past or in the current run of the protocol), but P believed that X was true when it sent the message.
- $P \mid\Rightarrow X$: P controls X. P has jurisdiction over X. P is a trusted authority on the truth of X.
- $\#(X)$: X is fresh. X is fresh if it is not contained in any message sent in the past.

Basic Notation

- $P \stackrel{K}{\leftrightarrow} Q$: K is a shared key for P and Q. K is a secure key for communication between P and Q, and it will never be discovered by any principal except for P or Q, or a principal trusted by either P or Q.
- $\stackrel{K}{\mapsto} P$: K is a public key for P. The matching secret key (the inverse of K, denoted by $K^{-1}$) will never be discovered by any principal except P, or a principal trusted by P.
- $\{X\}_K$: X encrypted under K. It represents the message X encrypted using the key K.

Formalism

A (Hilbert style) derivation system consists of axioms and inference rules.

"All humans are mortal", "Sokrates is human" $\vdash$ "Sokrates is mortal"

Statement Z follows from a conjunction of statements X and Y:

$$\frac{X,\quad Y}{Z}$$

Inference rules (1)

Message meaning rule (MMR): This rule concerns the interpretation of messages. It helps to explain the origin of the messages.

$$\frac{P \mid\equiv Q \stackrel{K}{\leftrightarrow} P,\quad P \triangleleft \{X\}_K}{P \mid\equiv Q \mid\sim X}$$

Nonce-verification rule (NVR): This rule checks that a message is recent, and also checks if the sender still believes in it.

$$\frac{P \mid\equiv \#(X),\quad P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X}$$

Inference rules (2)

Jurisdiction rule (JUR): This rule states what it means for a principal to be the trusted authority on the truth of X.

$$\frac{P \mid\equiv Q \mid\Rightarrow X,\quad P \mid\equiv Q \mid\equiv X}{P \mid\equiv X}$$

Belief rules (BEL): The rules state that a principal believes a collection of statements if and only if it believes each of the statements individually.

A) $$\frac{P \mid\equiv X,\quad P \mid\equiv Y}{P \mid\equiv (X, Y)}$$

B) $$\frac{P \mid\equiv (X, Y)}{P \mid\equiv X}$$

C) $$\frac{P \mid\equiv Q \mid\equiv (X, Y)}{P \mid\equiv Q \mid\equiv X}$$

etc.

Inference rules (3)

Saying rules (SAY): These rules say that a principal sees all the components of every message it sees, provided that the principal knows the necessary key K.

A) $$\frac{P \triangleleft (X, Y)}{P \triangleleft X}$$

B) $$\frac{P \mid\equiv Q \stackrel{K}{\leftrightarrow} P,\quad P \triangleleft \{X\}_K}{P \triangleleft X}$$

Freshness rule (FRS): This rule states that any message with a fresh component is also fresh.

$$\frac{P \mid\equiv \#(X)}{P \mid\equiv \#(X, Y)}$$

Idealized Protocols

Typical protocol step: $P \rightarrow Q$ : message

Example: $A \rightarrow B : \{A, K_{ab}\}_{K_{bs}}$

Transform each protocol into an idealized form:
1. Omit the parts of the message that do not contribute to the beliefs of the recipient
2. Omit clear text communication because it can be forged

Idealized version: $A \rightarrow B : \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}}$

When the message is sent to B it can be deduced that: $B \triangleleft \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}}$

The receiving principal becomes aware of the message (sees the message) and can act upon it.

Goals of Authentication

Authentication rests on communication protected by a shared session key, so the goals of authentication may be reached between A and B if there is a K such that:

$$A \mid\equiv A \stackrel{K}{\leftrightarrow} B \qquad B \mid\equiv A \stackrel{K}{\leftrightarrow} B$$

However, often we want to achieve more:

$$A \mid\equiv B \mid\equiv A \stackrel{K}{\leftrightarrow} B \qquad B \mid\equiv A \mid\equiv A \stackrel{K}{\leftrightarrow} B$$

That is, the principals are mutually convinced of authenticity.

Steps in Protocol Analysis

- Derive the idealized protocol from the original one
- Write assumptions about the initial state
- Use the postulates and rules of the logic to deduce new predicates
- This is repeated through all the protocol messages
- Determine if goals of authentication have been met

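Analysis of Needham-Schröder

Original version without idealization:
- Message 1 $A \rightarrow S: (A, B, N_A)$
- Message 2 $S \rightarrow A: \{N_A, B, K_{AB}, \{K_{AB}, A\}_{K_{BS}}\}_{K_{AS}}$
- Message 3 $A \rightarrow B: \{K_{AB}, A\}_{K_{BS}}$
- Message 4 $B \rightarrow A: \{N_B\}_{K_{AB}}$
- Message 5 $A \rightarrow B: \{N_B - 1\}_{K_{AB}}$

Idealized version:
- (Msg2) $S \rightarrow A$: $A \triangleleft \{N_A,\ (A \stackrel{K_{ab}}{\leftrightarrow} B),\ \#(A \stackrel{K_{ab}}{\leftrightarrow} B),\ \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}}\}_{K_{as}}$
- (Msg3) $A \rightarrow B$: $B \triangleleft \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}}$
- (Msg4) $B \rightarrow A$: $A \triangleleft \{N_B,\ (A \stackrel{K_{ab}}{\leftrightarrow} B)\}_{K_{ab}}$ from B
- (Msg5) $A \rightarrow B$: $B \triangleleft \{N_B,\ (A \stackrel{K_{ab}}{\leftrightarrow} B)\}_{K_{ab}}$ from A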

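Initial assumptions

- (ass1) $A \mid\equiv A \stackrel{K_{as}}{\leftrightarrow} S$
- (ass2) $B \mid\equiv B \stackrel{K_{bs}}{\leftrightarrow} S$
- (ass3) $S \mid\equiv A \stackrel{K_{as}}{\leftrightarrow} S$
- (ass4) $S \mid\equiv B \stackrel{K_{bs}}{\leftrightarrow} S$
- (ass5) $S \mid\equiv A \stackrel{K_{ab}}{\leftrightarrow} B$
- (ass6) $A \mid\equiv (S \mid\Rightarrow A \stackrel{K_{ab}}{\leftrightarrow} B)$
- (ass7) $B \mid\equiv (S \mid\Rightarrow A \stackrel{K_{ab}}{\leftrightarrow} B)$
- (ass8) $A \mid\equiv (S \mid\Rightarrow \#(A \stackrel{K_{ab}}{\leftrightarrow} B))$
- (ass9) $A \mid\equiv \#(N_a)$
- (ass10) $B \mid\equiv \#(N_b)$
- (ass11) $S \mid\equiv \#(A \stackrel{K_{ab}}{\leftrightarrow} B)$
- (ass12) $B \mid\equiv \#(A \stackrel{K_{ab}}{\leftrightarrow} B)$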

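Analysis (1)

(Msg2) $A \triangleleft \{N_a,\ (A \stackrel{K_{ab}}{\leftrightarrow} B),\ \#(A \stackrel{K_{ab}}{\leftrightarrow} B),\ \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}}\}_{K_{as}}$

(ass1) $A \mid\equiv A \stackrel{K_{as}}{\leftrightarrow} S$

Rule (MMR):

$$\frac{P \mid\equiv Q \stackrel{K}{\leftrightarrow} P,\quad P \triangleleft \{X\}_K}{P \mid\equiv Q \mid\sim X}$$

With (ass1), (MMR) and (Msg2):

(1) $A \mid\equiv S \mid\sim (N_a,\ (A \stackrel{K_{ab}}{\leftrightarrow} B),\ \#(A \stackrel{K_{ab}}{\leftrightarrow} B),\ \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}})$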

Analysis (2)

(ass9) $A \mid\equiv \#(N_a)$

Rule (FRS):

$$\frac{P \mid\equiv \#(X)}{P \mid\equiv \#(X, Y)}$$

Hence:

(2) $A \mid\equiv \#(N_a,\ (A \stackrel{K_{ab}}{\leftrightarrow} B),\ \#(A \stackrel{K_{ab}}{\leftrightarrow} B),\ \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}})$

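Analysis (3)

(1) $A \mid\equiv S \mid\sim (N_a,\ (A \stackrel{K_{ab}}{\leftrightarrow} B),\ \#(A \stackrel{K_{ab}}{\leftrightarrow} B),\ \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}})$

(2) $A \mid\equiv \#(N_a,\ (A \stackrel{K_{ab}}{\leftrightarrow} B),\ \#(A \stackrel{K_{ab}}{\leftrightarrow} B),\ \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}})$

Rule (NVR):

$$\frac{P \mid\equiv \#(X),\quad P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X}$$

(3) $A \mid\equiv S \mid\equiv (N_a,\ (A \stackrel{K_{ab}}{\leftrightarrow} B),\ \#(A \stackrel{K_{ab}}{\leftrightarrow} B),\ \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}})$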

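Analysis (4)

(3) $A \mid\equiv S \mid\equiv (N_a,\ (A \stackrel{K_{ab}}{\leftrightarrow} B),\ \#(A \stackrel{K_{ab}}{\leftrightarrow} B),\ \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}})$

Rule (BEL):

$$\frac{P \mid\equiv Q \mid\equiv (X, Y)}{P \mid\equiv Q \mid\equiv X}$$

(4) $A \mid\equiv S \mid\equiv (A \stackrel{K_{ab}}{\leftrightarrow} B)$

and:

(5) $A \mid\equiv S \mid\equiv \#(A \stackrel{K_{ab}}{\leftrightarrow} B)$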

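Analysis (5)

(4) $A \mid\equiv S \mid\equiv (A \stackrel{K_{ab}}{\leftrightarrow} B)$

(5) $A \mid\equiv S \mid\equiv \#(A \stackrel{K_{ab}}{\leftrightarrow} B)$

(ass6) $A \mid\equiv (S \mid\Rightarrow A \stackrel{K_{ab}}{\leftrightarrow} B)$

(ass8) $A \mid\equiv (S \mid\Rightarrow \#(A \stackrel{K_{ab}}{\leftrightarrow} B))$

Rule (JUR):

$$\frac{P \mid\equiv Q \mid\Rightarrow X,\quad P \mid\equiv Q \mid\equiv X}{P \mid\equiv X}$$

(6) $A \mid\equiv (A \stackrel{K_{ab}}{\leftrightarrow} B)$ and (7) $A \mid\equiv \#(A \stackrel{K_{ab}}{\leftrightarrow} B)$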

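Analysis (6)

(Msg3) $B \triangleleft \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}}$

(ass2) $B \mid\equiv S \stackrel{K_{bs}}{\leftrightarrow} B$

(MMR)

$$\frac{P \mid\equiv Q \stackrel{K}{\leftrightarrow} P,\quad P \triangleleft \{X\}_K}{P \mid\equiv Q \mid\sim X}$$

(8) $B \mid\equiv S \mid\sim \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}}$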

Analysis (7)

(ass12) $B \mid\equiv \#(A \stackrel{K_{ab}}{\leftrightarrow} B)$

(8) $B \mid\equiv S \mid\sim \{A \stackrel{K_{ab}}{\leftrightarrow} B\}_{K_{bs}}$

We can apply (NVR):

$$\frac{P \mid\equiv \#(X),\quad P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X}$$

And derive:

(9) $B \mid\equiv S \mid\equiv \{A \stackrel{K_{ab}}{\leftrightarrow} B\}$

Analysis (8)

Recall the assumption:

$B \mid\equiv (S \mid\Rightarrow A \stackrel{K_{ab}}{\leftrightarrow} B)$

Also recall the derived formula above stating:

$B \mid\equiv S \mid\equiv \{A \stackrel{K_{ab}}{\leftrightarrow} B\}$

We can apply the jurisdiction rule, which is:

$$\frac{P \mid\equiv Q \mid\Rightarrow X,\quad P \mid\equiv Q \mid\equiv X}{P \mid\equiv X}$$

And we can derive:

(10) $B \mid\equiv \{A \stackrel{K_{ab}}{\leftrightarrow} B\}$

Analysis (9)

Now we can apply the logical postulate rules to the next message with assumptions:

(Msg4) $B \rightarrow A: \{N_b,\ (A \stackrel{K_{ab}}{\leftrightarrow} B)\}_{K_{ab}}$

We can then say that:

$A \triangleleft \{N_b,\ (A \stackrel{K_{ab}}{\leftrightarrow} B)\}_{K_{ab}}$

We can use (SAY):

$$\frac{P \triangleleft (X, Y)}{P \triangleleft X}$$

We can then derive that:

$A \triangleleft \{(A \stackrel{K_{ab}}{\leftrightarrow} B)\}_{K_{ab}}$

Analysis (10)

Previously we obtained:

$A \mid\equiv (B \stackrel{K_{ab}}{\leftrightarrow} A)$

Also recall the result that we just obtained in the previous step:

$A \triangleleft \{(A \stackrel{K_{ab}}{\leftrightarrow} B)\}_{K_{ab}}$

We can apply the message meaning rule:

$$\frac{P \mid\equiv Q \stackrel{K}{\leftrightarrow} P,\quad P \triangleleft \{X\}_K}{P \mid\equiv Q \mid\sim X}$$

Finally, we can deduce that:

$A \mid\equiv B \mid\sim (A \stackrel{K_{ab}}{\leftrightarrow} B)$

Analysis (11)

Recall a previous result we obtained:

$A \mid\equiv \#(A \stackrel{K_{ab}}{\leftrightarrow} B)$

Also recall the result that we just obtained in the previous step:

$A \mid\equiv B \mid\sim (A \stackrel{K_{ab}}{\leftrightarrow} B)$

We can apply the nonce-verification rule:

$$\frac{P \mid\equiv \#(X),\quad P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X}$$

We then obtain:

$A \mid\equiv B \mid\equiv (A \stackrel{K_{ab}}{\leftrightarrow} B)$

In a similar manner, we can also derive that:

$B \mid\equiv A \mid\equiv (A \stackrel{K_{ab}}{\leftrightarrow} B)$

Conclusions of Analysis

The goals of the Needham-Schroeder protocol are that A and B each believe that they share a secret key $K_{ab}$ and that moreover they each believe that the other believes it:

$B \mid\equiv A \stackrel{K}{\leftrightarrow} B$ (msg 3) $\qquad A \mid\equiv A \stackrel{K}{\leftrightarrow} B$ (msg 2)

We also achieve this final goal:

$A \mid\equiv B \mid\equiv A \stackrel{K}{\leftrightarrow} B$ (msg 4) $\qquad B \mid\equiv A \mid\equiv A \stackrel{K}{\leftrightarrow} B$ (msg 4)

Our analysis achieves these results, since we have derived these goals. This authentication protocol has an extra assumption, which is that B assumes the key B receives from A is fresh. So the Needham-Schroeder protocol had this flaw in it.
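The derivation for messages 2 and 3 can be replayed mechanically. The following Python forward-chaining check is an added example, not part of the original slides: the tuple encoding and the names `step`, `closure` and `analyse` are assumptions of this example, and it implements only MMR, FRS, NVR, BEL (rule C) and JUR as stated above. Dropping (ass12) shows that B's belief in the key depends on that freshness assumption.

```python
# Added example: formulas are nested tuples; all names here are hypothetical.
def bel(p, x):    return ("bel", p, x)     # P believes X
def sees(p, x):   return ("sees", p, x)    # P sees X
def said(p, x):   return ("said", p, x)    # P once said X
def ctrl(p, x):   return ("ctrl", p, x)    # P controls X
def fresh(x):     return ("fresh", x)      # #(X)
def enc(k, x):    return ("enc", k, x)     # {X}_K
def tup(*xs):     return ("tup",) + xs     # (X, Y, ...)
def key(k, p, q): return ("key", k) + tuple(sorted((p, q)))  # K shared by P, Q

def step(facts):
    """Apply MMR, FRS, NVR, BEL and JUR once; return only the new facts."""
    new, B = set(), {(f[1], f[2]) for f in facts if f[0] == "bel"}
    for p, x in B:
        if x[0] == "key" and p in x[2:]:          # MMR
            q = x[2] if x[3] == p else x[3]
            new |= {bel(p, said(q, f[2][2])) for f in facts
                    if f[0] == "sees" and f[1] == p
                    and f[2][0] == "enc" and f[2][1] == x[1]}
        elif x[0] == "said":
            q, m = x[1], x[2]
            # FRS, instantiated only for messages P believes were said
            if m[0] == "tup" and any((p, fresh(c)) in B for c in m[1:]):
                new.add(bel(p, fresh(m)))
            if (p, fresh(m)) in B:                # NVR
                new.add(bel(p, bel(q, m)))
        elif x[0] == "bel":
            q, m = x[1], x[2]
            if m[0] == "tup":                     # BEL, rule C
                new |= {bel(p, bel(q, c)) for c in m[1:]}
            if (p, ctrl(q, m)) in B:              # JUR
                new.add(bel(p, m))
    return new - facts

def closure(facts):
    """Iterate the rules until no new fact is derived."""
    facts = set(facts)
    while (new := step(facts)):
        facts |= new
    return facts

KAB = key("Kab", "A", "B")
MSG2 = sees("A", enc("Kas", tup("Na", KAB, fresh(KAB), enc("Kbs", KAB))))
MSG3 = sees("B", enc("Kbs", KAB))
ASSUMPTIONS = {                                   # numbering follows the slides
    "ass1": bel("A", key("Kas", "A", "S")),
    "ass2": bel("B", key("Kbs", "B", "S")),
    "ass6": bel("A", ctrl("S", KAB)),
    "ass7": bel("B", ctrl("S", KAB)),
    "ass8": bel("A", ctrl("S", fresh(KAB))),
    "ass9": bel("A", fresh("Na")),
    "ass12": bel("B", fresh(KAB)),
}

def analyse(drop=()):
    """Return (A believes Kab, B believes Kab) with some assumptions removed."""
    facts = {MSG2, MSG3} | {f for n, f in ASSUMPTIONS.items() if n not in drop}
    derived = closure(facts)
    return bel("A", KAB) in derived, bel("B", KAB) in derived

if __name__ == "__main__":
    print("all assumptions:", analyse())
    print("without ass12:  ", analyse(drop=("ass12",)))
```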

Advantages of BAN Logic

- One of the earliest successful attempts at formally reasoning about authentication protocols
- Huge success for formal methods in cryptography, useful tool
- Uncovered implicit assumptions and weaknesses in a number of protocols
- Involves idealizing a protocol, identifying initial assumptions, using logical postulates to deduce new predicates and determining if the goals of authentication have been met
- Its strengths are the simplicity of its logic and its ease of use

Deficits of BAN Logic

- A belief logic is much different from a knowledge logic. Knowledge logics have an axiom of the following form: "If x knows p, then p is true." However, belief systems do not have this axiom, since a belief in p says nothing about the truth or falsity of p.
- It assumes that all principals taking part in a protocol are honest, in the sense that each principal believes in the truth of each message it sends. However, honesty is not a logical assumption to make.
- Vehicle for extensive research in the areas for basis and development of other logic systems